“If you don’t agree with the terms of this Privacy Policy, then please don’t use the Service.” – Spotify

Such were the words from the popular global music streaming service Spotify as it changed its privacy policy late August 2015 to follow suit of other big data broking services like Facebook.

The tech magazine, Wired, listed the new ways of Spotify planned to get data out of their users: Spotify wants to go through your phone. Spotify wants to know where you are going. It prompted thousands of comments – mostly furious – on Wired, Twitter, Facebook and all over the web.

According to the European data laws, a company must ask permission to give a person’s data to a third party. Therefore, Spotify asked their customers to ask all their contacts for their permission to hand over their contacts to Spotify. Today, with the current data laws you can get away with a lot, as long as you have users’ consent. It is not clear whether Spotify’s approach – not really seen often – is legal. But it is a good questions whether it is data ethical to ask you customers to compromise all their contacts’ privacy.

Not everybody, of course, will think of their contacts as sensitive like Poul Mason in The Guardian “As my phone-contacts list includes CEOs and prime ministers, and because my photostream includes snapshots of leaked documents, I will still be thinking very carefully about whether to stay on Spotify.”

But as most other tech companies, Spotify thinks of its customers. One of them was the Minecraft creator Markus “Notch” Persson, who wrote on Twitter:

Notch has over 2.4 million Twitter followers, and that obviously made the CEO of Spotify Daniel Ek go out and say he was sorry. Then he backpedaled a bit giving users a choice of saying no and staying with Spotify.

What will probably happen now is that the majority of Spotify users will accept giving away the content of their phones to Spotify, because the service cheap or free and very convenient. But even with a super pro head of communications and public policy, Jonathan Prince, a veteran Washington communicator and Clinton and Obama administration hand, the company will also be left with some serious scratches in its reputation.

Ask for forgiveness

The strategy Spotify has adopted is what we have seen again and again from Facebook; Don’t ask for permission, as for forgiveness. If you ask first, you get a no. If you say you are sorry, most will stay. You risk less, and you can always pay your way out with a settlement.

A pretty unusual business approach for ethical companies, who often will contact their country’s data authority before they make major changes in their data dealing.

The Spotify approach, however, seems to still be successful, as many users are not aware of the value of their data and their privacy and that they are sometimes paying a much higher price for cheap or free than they anticipate.

Data is the dominant currency in the online business model today, and Spotify, orginally Swedish, is on its way to IPO. It might feel forced to follow this model of harvesting as much data as possible from its user behind their backs – just in case they can monetize it later. Even data which is not necessary to deliver the service. Collect data for later often satisfies investors.

This business model might come under pressure with the coming EU Data Protection Regulation, which is much more in accordance with the way data is used and abused today, and where all the EU countries will work together on the enforcement. But the real enforcement will happen by the users.

Spotify is still the ‘winner takes it all’ in the digital music industry, but there are more and more alternatives; music from local telecom services like Wimp and Yousee in Denmark or Apple Music, Rdio, YouTube via TOR or Tidal, who may be only collect the data needed for the service.

The Young Ones Will Press for Change

For most companies young users are vital. And Spotify has a lot of them. Until recently experts tended to believe that young people did not care about their privacy. A new survey proves them wrong.

According to a KPMG survey, 97% of 18-24 year olds refuse to allow their details to be passed on, regardless of the benefits being offered in return. Other surveys like this from Symantec and this from The Danish Business Authority and IDA indicates that the young ones are much more aware of the value of their data. So, in the long run, companies betting on data, better look for more sustainable data models.